The new frontier for business liability may be the failure to adequately protect non-public personal information (“NPPI”). New federal and state laws, as well as agency regulations and industry standards, address not only the collection, protection and use of NPPI, but provide for criminal sanctions, imposition of fines and exposure to civil liability. Your collection of NPPI, even for a legitimate business purpose, could expose you to substantial liability.
NPPI is defined as personally identifiable data or information provided by a consumer, resulting from a transaction or service performed for the consumer, or otherwise obtained by the business. NPPI can include financial, health, purchasing, contact data, social security numbers and any other information personally identifiable to an individual. Businesses gather this information for a myriad of reasons, including extending credit, pursuing collections, advertising related products or services, and sometimes just to sell it. The reasons for collection are rarely relevant; it is the content of the data collected that determines the level of protection required.
A risk audit of your business includes an examination of the NPPI your business collects and retains; an analysis of the need to collect and retain that NPPI; an evaluation of the policies and procedures in place to retain, protect and discard it; and a determination of what NPPI is needed and for how long. Based on the audit, you can reduce liability exposure by refining your business’ collection, retention and protection policies. Employee access should be limited, and the importance of protection and confidentiality emphasized with employee training, secured files, password protection, restricted access and periodic review. Third party and vendor relationships should be evaluated for risks and protection.
While big data breaches and social media spying cases capture the headlines, any business that collects, retains and uses NPPI is at risk. You should consult an experienced and qualified professional for guidance on legal, industry and agency requirements, and consider insurance protection in the event of a data breach that could threaten your business.
Brooks, Tarulis & Tibble, LLC has the experience and qualifications to counsel and assist you regarding your business’ use of NPPI, and to represent you in the event of a claim, fine or criminal investigation. If we can help you or if you have any questions, please contact us.